Analysis
-
max time kernel
144s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
08/07/2024, 02:32
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
a82151f7a003051253fac4c8507e693ba6f4410b5446118084f39116c71476e8.exe
Resource
win7-20240508-en
windows7-x64
8 signatures
150 seconds
Behavioral task
behavioral2
Sample
a82151f7a003051253fac4c8507e693ba6f4410b5446118084f39116c71476e8.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
a82151f7a003051253fac4c8507e693ba6f4410b5446118084f39116c71476e8.exe
-
Size
465KB
-
MD5
b319d934f6bbee58ab195f29db3b393c
-
SHA1
105996028f2d2649b26ed8632d9b5fb2f6b4f924
-
SHA256
a82151f7a003051253fac4c8507e693ba6f4410b5446118084f39116c71476e8
-
SHA512
95545e68322d72f674ad008378ee8ede4549ada49a79305fa4661dcdc93e51bff48ee65168620107368d91ec4897aad1b773a923fc657672dd25d7df23d588d3
-
SSDEEP
6144:VcdjegS+GHFqOILKpn/a5/VF5V4lKjIbvBhRJfzSf9x7N/I7b9M:qdqbMO8S/WNLKlUmpRe94a
Score
10/10
Malware Config
Signatures
-
Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ffpmnf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fjmaaddo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dbafjlaa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Hnpbjnpo.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Aqjdgmgd.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pedleg32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Hhckpk32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mmneda32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Poeipifl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dogpdg32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Comdkipe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Elqaca32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fgcejm32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mfdopp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bflbigdb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pddnnp32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pgegok32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gbfiaj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Jkdpanhg.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Pciifc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Bpnbkeld.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Pjldghjm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Ffmkfifa.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ioooiack.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bjijdadm.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Jkgcab32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kklikejc.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qqdbiopj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Bmcnqama.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lpphap32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Qngmgjeb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lnjafd32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dobgihgp.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dkhcmgnl.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Kqqboncb.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Ihpdoh32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Fnbkddem.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Chfbgn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Mcifdj32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Clgbno32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmlgfnal.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cbgmigeq.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Dhkkbmnp.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Noqamn32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gmgninie.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Djqoll32.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Nmnclmoj.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Process not Found Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Cojhejbh.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Gaqcoc32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Idhopq32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}" Lojomkdn.exe Key created \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad Lklejh32.exe -
Executes dropped EXE 64 IoCs
pid Process 1184 Ppamme32.exe 2968 Qhmbagfa.exe 2692 Qhooggdn.exe 2976 Aajpelhl.exe 2492 Ahchbf32.exe 2472 Alenki32.exe 2520 Abpfhcje.exe 1560 Bpfcgg32.exe 2652 Bebkpn32.exe 1748 Bokphdld.exe 1752 Bdhhqk32.exe 2384 Bkaqmeah.exe 620 Begeknan.exe 2340 Bghabf32.exe 2856 Banepo32.exe 264 Bhhnli32.exe 644 Bjijdadm.exe 1860 Bdooajdc.exe 1140 Ckignd32.exe 828 Cpeofk32.exe 2104 Ccdlbf32.exe 1516 Cjndop32.exe 1284 Coklgg32.exe 688 Cfeddafl.exe 1920 Cpjiajeb.exe 3012 Cfgaiaci.exe 976 Ckdjbh32.exe 2416 Cdlnkmha.exe 1240 Cobbhfhg.exe 1592 Dflkdp32.exe 1152 Dkhcmgnl.exe 2164 Dbbkja32.exe 2668 Dkkpbgli.exe 2620 Ddcdkl32.exe 2512 Djpmccqq.exe 2540 Ddeaalpg.exe 1192 Dfgmhd32.exe 2192 Eeqdep32.exe 1756 Emhlfmgj.exe 1980 Epfhbign.exe 856 Eiomkn32.exe 1784 Epieghdk.exe 2252 Eeempocb.exe 796 Ennaieib.exe 1596 Ealnephf.exe 2388 Fnpnndgp.exe 2008 Fmcoja32.exe 3040 Ffkcbgek.exe 1160 Fnbkddem.exe 780 Faagpp32.exe 2072 Filldb32.exe 1332 Ffpmnf32.exe 2140 Fioija32.exe 2872 Feeiob32.exe 2560 Fiaeoang.exe 2688 Gbijhg32.exe 2612 Gegfdb32.exe 1424 Glaoalkh.exe 2748 Gpmjak32.exe 2904 Gangic32.exe 272 Ghhofmql.exe 1644 Gobgcg32.exe 1812 Gaqcoc32.exe 1500 Gdopkn32.exe -
Loads dropped DLL 64 IoCs
pid Process 2136 a82151f7a003051253fac4c8507e693ba6f4410b5446118084f39116c71476e8.exe 2136 a82151f7a003051253fac4c8507e693ba6f4410b5446118084f39116c71476e8.exe 1184 Ppamme32.exe 1184 Ppamme32.exe 2968 Qhmbagfa.exe 2968 Qhmbagfa.exe 2692 Qhooggdn.exe 2692 Qhooggdn.exe 2976 Aajpelhl.exe 2976 Aajpelhl.exe 2492 Ahchbf32.exe 2492 Ahchbf32.exe 2472 Alenki32.exe 2472 Alenki32.exe 2520 Abpfhcje.exe 2520 Abpfhcje.exe 1560 Bpfcgg32.exe 1560 Bpfcgg32.exe 2652 Bebkpn32.exe 2652 Bebkpn32.exe 1748 Bokphdld.exe 1748 Bokphdld.exe 1752 Bdhhqk32.exe 1752 Bdhhqk32.exe 2384 Bkaqmeah.exe 2384 Bkaqmeah.exe 620 Begeknan.exe 620 Begeknan.exe 2340 Bghabf32.exe 2340 Bghabf32.exe 2856 Banepo32.exe 2856 Banepo32.exe 264 Bhhnli32.exe 264 Bhhnli32.exe 644 Bjijdadm.exe 644 Bjijdadm.exe 1860 Bdooajdc.exe 1860 Bdooajdc.exe 1140 Ckignd32.exe 1140 Ckignd32.exe 828 Cpeofk32.exe 828 Cpeofk32.exe 2104 Ccdlbf32.exe 2104 Ccdlbf32.exe 1516 Cjndop32.exe 1516 Cjndop32.exe 1284 Coklgg32.exe 1284 Coklgg32.exe 688 Cfeddafl.exe 688 Cfeddafl.exe 1920 Cpjiajeb.exe 1920 Cpjiajeb.exe 3012 Cfgaiaci.exe 3012 Cfgaiaci.exe 976 Ckdjbh32.exe 976 Ckdjbh32.exe 2416 Cdlnkmha.exe 2416 Cdlnkmha.exe 1240 Cobbhfhg.exe 1240 Cobbhfhg.exe 1592 Dflkdp32.exe 1592 Dflkdp32.exe 1152 Dkhcmgnl.exe 1152 Dkhcmgnl.exe -
Drops file in System32 directory 64 IoCs
description ioc Process File created C:\Windows\SysWOW64\Pgckjk32.exe Pddnnp32.exe File opened for modification C:\Windows\SysWOW64\Cnfqccna.exe Process not Found File created C:\Windows\SysWOW64\Flbkkpfc.dll Hmeolj32.exe File created C:\Windows\SysWOW64\Ojolhk32.exe Nceclqan.exe File created C:\Windows\SysWOW64\Ohfeog32.exe Oonafa32.exe File created C:\Windows\SysWOW64\Edfpjabf.dll Hdlhjl32.exe File created C:\Windows\SysWOW64\Jdkjnl32.exe Jonbee32.exe File created C:\Windows\SysWOW64\Kjleflod.exe Kbdmeoob.exe File opened for modification C:\Windows\SysWOW64\Iamdkfnc.exe Process not Found File created C:\Windows\SysWOW64\Phlclgfc.exe Process not Found File created C:\Windows\SysWOW64\Aonghnnp.dll Ncjqhmkm.exe File opened for modification C:\Windows\SysWOW64\Gnmgmbhb.exe Gedbdlbb.exe File created C:\Windows\SysWOW64\Pmagdbci.exe Pbkbgjcc.exe File created C:\Windows\SysWOW64\Lopdpdmj.dll Cklfll32.exe File created C:\Windows\SysWOW64\Nmepgp32.dll Process not Found File created C:\Windows\SysWOW64\Jidmcq32.dll Process not Found File opened for modification C:\Windows\SysWOW64\Ldfgebbe.exe Lahkigca.exe File created C:\Windows\SysWOW64\Nanbpedg.dll Cafecmlj.exe File opened for modification C:\Windows\SysWOW64\Lfjcfb32.exe Lmbonmll.exe File created C:\Windows\SysWOW64\Oemegc32.exe Ooclji32.exe File opened for modification C:\Windows\SysWOW64\Hlccdboi.exe Heikgh32.exe File opened for modification C:\Windows\SysWOW64\Nlhjhi32.exe Nijnln32.exe File opened for modification C:\Windows\SysWOW64\Gpncej32.exe Gnmgmbhb.exe File opened for modification C:\Windows\SysWOW64\Olpgconp.exe Okojkf32.exe File opened for modification C:\Windows\SysWOW64\Odjdmjgo.exe Okbpde32.exe File created C:\Windows\SysWOW64\Gepehphc.exe Glgaok32.exe File created C:\Windows\SysWOW64\Qppkfhlc.exe Process not Found File created C:\Windows\SysWOW64\Dlkepi32.exe Dbfabp32.exe File created C:\Windows\SysWOW64\Lpeqncja.dll Process not Found File created C:\Windows\SysWOW64\Fgkbeb32.exe Femeig32.exe File created C:\Windows\SysWOW64\Hldjnhce.exe Hfgafadm.exe File created C:\Windows\SysWOW64\Jhamckel.exe Jgqpkc32.exe File created C:\Windows\SysWOW64\Cmnmmikh.dll Ooclji32.exe File opened for modification C:\Windows\SysWOW64\Bbmcibjp.exe Process not Found File opened for modification C:\Windows\SysWOW64\Aidnohbk.exe Abjebn32.exe File created C:\Windows\SysWOW64\Eohcninh.dll Ajhiei32.exe File created C:\Windows\SysWOW64\Bbjdjjdn.exe Bcgdom32.exe File created C:\Windows\SysWOW64\Ijmkqhaf.dll Aqonbm32.exe File opened for modification C:\Windows\SysWOW64\Eojnkg32.exe Emkaol32.exe File created C:\Windows\SysWOW64\Opacnnhp.dll Bjdplm32.exe File created C:\Windows\SysWOW64\Ciqnaaen.dll Fdbhge32.exe File created C:\Windows\SysWOW64\Cfibop32.dll Process not Found File created C:\Windows\SysWOW64\Hgeadcbc.dll Qhooggdn.exe File created C:\Windows\SysWOW64\Bbnhbg32.dll Naoniipe.exe File created C:\Windows\SysWOW64\Jkoplhip.exe Jgcdki32.exe File created C:\Windows\SysWOW64\Bodgdaah.dll Dpgcip32.exe File opened for modification C:\Windows\SysWOW64\Nocnbmoo.exe Nglfapnl.exe File created C:\Windows\SysWOW64\Ncmfqkdj.exe Nmpnhdfc.exe File created C:\Windows\SysWOW64\Qniedg32.dll Aganeoip.exe File created C:\Windows\SysWOW64\Kaoacgen.dll Lnlnlc32.exe File created C:\Windows\SysWOW64\Ackmih32.exe Aqmamm32.exe File opened for modification C:\Windows\SysWOW64\Hlakpp32.exe Hkpnhgge.exe File opened for modification C:\Windows\SysWOW64\Leimip32.exe Kjdilgpc.exe File opened for modification C:\Windows\SysWOW64\Knmamp32.exe Kfeikcfa.exe File created C:\Windows\SysWOW64\Bgnfdm32.exe Badnhbce.exe File created C:\Windows\SysWOW64\Jpdkii32.exe Jjjclobg.exe File opened for modification C:\Windows\SysWOW64\Kdbbgdjj.exe Process not Found File created C:\Windows\SysWOW64\Odchbe32.exe Process not Found File opened for modification C:\Windows\SysWOW64\Odjbdb32.exe Oegbheiq.exe File created C:\Windows\SysWOW64\Gdboig32.exe Gbqbaofc.exe File created C:\Windows\SysWOW64\Oepbgcpb.dll Oqcpob32.exe File created C:\Windows\SysWOW64\Aaolidlk.exe Amcpie32.exe File opened for modification C:\Windows\SysWOW64\Mfdopp32.exe Lqhfhigj.exe File created C:\Windows\SysWOW64\Ndmecgba.exe Nlfmbibo.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\system32†Dcllbhdn.¿xe Process not Found File opened for modification C:\Windows\system32†Dcllbhdn.¿xe Process not Found -
Program crash 1 IoCs
pid pid_target Process procid_target 5176 4540 Process not Found 1282 -
Modifies registry class 64 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hbhomd32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ecpoag32.dll" Chfpoeja.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Mcnpojca.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Mlhnifmq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Jbgkcb32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Nmqpam32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Bodklh32.dll" Bleeioil.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gckemgnc.dll" Jkhldafl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Biaign32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fjeefofk.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Dpkibo32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mneedo32.dll" Hddlof32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Cpnidcen.dll" Cbgmigeq.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gaafhloq.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Gqlebf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Jdkjnl32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bonoflae.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Dhmfod32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Fqmpni32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oedkmfka.dll" Aekqmbod.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Meoell32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Qhooggdn.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Aplifb32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Biafnecn.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Dojofhjd.dll" Cpfaocal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bghabf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Oghiae32.dll" Ddgjdk32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Elooehob.dll" Kcdjoaee.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Lobgoh32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Hiqbndpb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bgnfdm32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fhjboh32.dll" Lbnpkmfg.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ldfgebbe.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gcghbk32.dll" Qcpofbjl.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ekknjcfh.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ddbdee32.dll" Mpgmijgc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Bjmbqhif.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ghlpli32.dll" Idfbkq32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Feeiob32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Fikejl32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Egnhob32.dll" Naimccpo.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Okbpde32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Gmpjagfa.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mjceldap.dll" Opfbngfb.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Process not Found Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Libmpn32.dll" Jhjphfgi.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Process not Found Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32 Ipllekdl.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Bilmcf32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Cpfaocal.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment" Ackmih32.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2136 wrote to memory of 1184 2136 a82151f7a003051253fac4c8507e693ba6f4410b5446118084f39116c71476e8.exe 29 PID 2136 wrote to memory of 1184 2136 a82151f7a003051253fac4c8507e693ba6f4410b5446118084f39116c71476e8.exe 29 PID 2136 wrote to memory of 1184 2136 a82151f7a003051253fac4c8507e693ba6f4410b5446118084f39116c71476e8.exe 29 PID 2136 wrote to memory of 1184 2136 a82151f7a003051253fac4c8507e693ba6f4410b5446118084f39116c71476e8.exe 29 PID 1184 wrote to memory of 2968 1184 Ppamme32.exe 30 PID 1184 wrote to memory of 2968 1184 Ppamme32.exe 30 PID 1184 wrote to memory of 2968 1184 Ppamme32.exe 30 PID 1184 wrote to memory of 2968 1184 Ppamme32.exe 30 PID 2968 wrote to memory of 2692 2968 Qhmbagfa.exe 31 PID 2968 wrote to memory of 2692 2968 Qhmbagfa.exe 31 PID 2968 wrote to memory of 2692 2968 Qhmbagfa.exe 31 PID 2968 wrote to memory of 2692 2968 Qhmbagfa.exe 31 PID 2692 wrote to memory of 2976 2692 Qhooggdn.exe 32 PID 2692 wrote to memory of 2976 2692 Qhooggdn.exe 32 PID 2692 wrote to memory of 2976 2692 Qhooggdn.exe 32 PID 2692 wrote to memory of 2976 2692 Qhooggdn.exe 32 PID 2976 wrote to memory of 2492 2976 Aajpelhl.exe 33 PID 2976 wrote to memory of 2492 2976 Aajpelhl.exe 33 PID 2976 wrote to memory of 2492 2976 Aajpelhl.exe 33 PID 2976 wrote to memory of 2492 2976 Aajpelhl.exe 33 PID 2492 wrote to memory of 2472 2492 Ahchbf32.exe 34 PID 2492 wrote to memory of 2472 2492 Ahchbf32.exe 34 PID 2492 wrote to memory of 2472 2492 Ahchbf32.exe 34 PID 2492 wrote to memory of 2472 2492 Ahchbf32.exe 34 PID 2472 wrote to memory of 2520 2472 Alenki32.exe 35 PID 2472 wrote to memory of 2520 2472 Alenki32.exe 35 PID 2472 wrote to memory of 2520 2472 Alenki32.exe 35 PID 2472 wrote to memory of 2520 2472 Alenki32.exe 35 PID 2520 wrote to memory of 1560 2520 Abpfhcje.exe 36 PID 2520 wrote to memory of 1560 2520 Abpfhcje.exe 36 PID 2520 wrote to memory of 1560 2520 Abpfhcje.exe 36 PID 2520 wrote to memory of 1560 2520 Abpfhcje.exe 36 PID 1560 wrote to memory of 2652 1560 Bpfcgg32.exe 37 PID 1560 wrote to memory of 2652 1560 Bpfcgg32.exe 37 PID 1560 wrote to memory of 2652 1560 Bpfcgg32.exe 37 PID 1560 wrote to memory of 2652 1560 Bpfcgg32.exe 37 PID 2652 wrote to memory of 1748 2652 Bebkpn32.exe 38 PID 2652 wrote to memory of 1748 2652 Bebkpn32.exe 38 PID 2652 wrote to memory of 1748 2652 Bebkpn32.exe 38 PID 2652 wrote to memory of 1748 2652 Bebkpn32.exe 38 PID 1748 wrote to memory of 1752 1748 Bokphdld.exe 39 PID 1748 wrote to memory of 1752 1748 Bokphdld.exe 39 PID 1748 wrote to memory of 1752 1748 Bokphdld.exe 39 PID 1748 wrote to memory of 1752 1748 Bokphdld.exe 39 PID 1752 wrote to memory of 2384 1752 Bdhhqk32.exe 40 PID 1752 wrote to memory of 2384 1752 Bdhhqk32.exe 40 PID 1752 wrote to memory of 2384 1752 Bdhhqk32.exe 40 PID 1752 wrote to memory of 2384 1752 Bdhhqk32.exe 40 PID 2384 wrote to memory of 620 2384 Bkaqmeah.exe 41 PID 2384 wrote to memory of 620 2384 Bkaqmeah.exe 41 PID 2384 wrote to memory of 620 2384 Bkaqmeah.exe 41 PID 2384 wrote to memory of 620 2384 Bkaqmeah.exe 41 PID 620 wrote to memory of 2340 620 Begeknan.exe 42 PID 620 wrote to memory of 2340 620 Begeknan.exe 42 PID 620 wrote to memory of 2340 620 Begeknan.exe 42 PID 620 wrote to memory of 2340 620 Begeknan.exe 42 PID 2340 wrote to memory of 2856 2340 Bghabf32.exe 43 PID 2340 wrote to memory of 2856 2340 Bghabf32.exe 43 PID 2340 wrote to memory of 2856 2340 Bghabf32.exe 43 PID 2340 wrote to memory of 2856 2340 Bghabf32.exe 43 PID 2856 wrote to memory of 264 2856 Banepo32.exe 44 PID 2856 wrote to memory of 264 2856 Banepo32.exe 44 PID 2856 wrote to memory of 264 2856 Banepo32.exe 44 PID 2856 wrote to memory of 264 2856 Banepo32.exe 44
Processes
-
C:\Users\Admin\AppData\Local\Temp\a82151f7a003051253fac4c8507e693ba6f4410b5446118084f39116c71476e8.exe"C:\Users\Admin\AppData\Local\Temp\a82151f7a003051253fac4c8507e693ba6f4410b5446118084f39116c71476e8.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2136 -
C:\Windows\SysWOW64\Ppamme32.exeC:\Windows\system32\Ppamme32.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1184 -
C:\Windows\SysWOW64\Qhmbagfa.exeC:\Windows\system32\Qhmbagfa.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2968 -
C:\Windows\SysWOW64\Qhooggdn.exeC:\Windows\system32\Qhooggdn.exe4⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\Aajpelhl.exeC:\Windows\system32\Aajpelhl.exe5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976 -
C:\Windows\SysWOW64\Ahchbf32.exeC:\Windows\system32\Ahchbf32.exe6⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2492 -
C:\Windows\SysWOW64\Alenki32.exeC:\Windows\system32\Alenki32.exe7⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2472 -
C:\Windows\SysWOW64\Abpfhcje.exeC:\Windows\system32\Abpfhcje.exe8⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2520 -
C:\Windows\SysWOW64\Bpfcgg32.exeC:\Windows\system32\Bpfcgg32.exe9⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1560 -
C:\Windows\SysWOW64\Bebkpn32.exeC:\Windows\system32\Bebkpn32.exe10⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2652 -
C:\Windows\SysWOW64\Bokphdld.exeC:\Windows\system32\Bokphdld.exe11⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1748 -
C:\Windows\SysWOW64\Bdhhqk32.exeC:\Windows\system32\Bdhhqk32.exe12⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1752 -
C:\Windows\SysWOW64\Bkaqmeah.exeC:\Windows\system32\Bkaqmeah.exe13⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2384 -
C:\Windows\SysWOW64\Begeknan.exeC:\Windows\system32\Begeknan.exe14⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:620 -
C:\Windows\SysWOW64\Bghabf32.exeC:\Windows\system32\Bghabf32.exe15⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2340 -
C:\Windows\SysWOW64\Banepo32.exeC:\Windows\system32\Banepo32.exe16⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2856 -
C:\Windows\SysWOW64\Bhhnli32.exeC:\Windows\system32\Bhhnli32.exe17⤵
- Executes dropped EXE
- Loads dropped DLL
PID:264 -
C:\Windows\SysWOW64\Bjijdadm.exeC:\Windows\system32\Bjijdadm.exe18⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:644 -
C:\Windows\SysWOW64\Bdooajdc.exeC:\Windows\system32\Bdooajdc.exe19⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1860 -
C:\Windows\SysWOW64\Ckignd32.exeC:\Windows\system32\Ckignd32.exe20⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1140 -
C:\Windows\SysWOW64\Cpeofk32.exeC:\Windows\system32\Cpeofk32.exe21⤵
- Executes dropped EXE
- Loads dropped DLL
PID:828 -
C:\Windows\SysWOW64\Ccdlbf32.exeC:\Windows\system32\Ccdlbf32.exe22⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2104 -
C:\Windows\SysWOW64\Cjndop32.exeC:\Windows\system32\Cjndop32.exe23⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1516 -
C:\Windows\SysWOW64\Coklgg32.exeC:\Windows\system32\Coklgg32.exe24⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1284 -
C:\Windows\SysWOW64\Cfeddafl.exeC:\Windows\system32\Cfeddafl.exe25⤵
- Executes dropped EXE
- Loads dropped DLL
PID:688 -
C:\Windows\SysWOW64\Cpjiajeb.exeC:\Windows\system32\Cpjiajeb.exe26⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1920 -
C:\Windows\SysWOW64\Cfgaiaci.exeC:\Windows\system32\Cfgaiaci.exe27⤵
- Executes dropped EXE
- Loads dropped DLL
PID:3012 -
C:\Windows\SysWOW64\Ckdjbh32.exeC:\Windows\system32\Ckdjbh32.exe28⤵
- Executes dropped EXE
- Loads dropped DLL
PID:976 -
C:\Windows\SysWOW64\Cdlnkmha.exeC:\Windows\system32\Cdlnkmha.exe29⤵
- Executes dropped EXE
- Loads dropped DLL
PID:2416 -
C:\Windows\SysWOW64\Cobbhfhg.exeC:\Windows\system32\Cobbhfhg.exe30⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1240 -
C:\Windows\SysWOW64\Dflkdp32.exeC:\Windows\system32\Dflkdp32.exe31⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1592 -
C:\Windows\SysWOW64\Dkhcmgnl.exeC:\Windows\system32\Dkhcmgnl.exe32⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
- Loads dropped DLL
PID:1152 -
C:\Windows\SysWOW64\Dbbkja32.exeC:\Windows\system32\Dbbkja32.exe33⤵
- Executes dropped EXE
PID:2164 -
C:\Windows\SysWOW64\Dkkpbgli.exeC:\Windows\system32\Dkkpbgli.exe34⤵
- Executes dropped EXE
PID:2668 -
C:\Windows\SysWOW64\Ddcdkl32.exeC:\Windows\system32\Ddcdkl32.exe35⤵
- Executes dropped EXE
PID:2620 -
C:\Windows\SysWOW64\Djpmccqq.exeC:\Windows\system32\Djpmccqq.exe36⤵
- Executes dropped EXE
PID:2512 -
C:\Windows\SysWOW64\Ddeaalpg.exeC:\Windows\system32\Ddeaalpg.exe37⤵
- Executes dropped EXE
PID:2540 -
C:\Windows\SysWOW64\Dfgmhd32.exeC:\Windows\system32\Dfgmhd32.exe38⤵
- Executes dropped EXE
PID:1192 -
C:\Windows\SysWOW64\Eeqdep32.exeC:\Windows\system32\Eeqdep32.exe39⤵
- Executes dropped EXE
PID:2192 -
C:\Windows\SysWOW64\Emhlfmgj.exeC:\Windows\system32\Emhlfmgj.exe40⤵
- Executes dropped EXE
PID:1756 -
C:\Windows\SysWOW64\Epfhbign.exeC:\Windows\system32\Epfhbign.exe41⤵
- Executes dropped EXE
PID:1980 -
C:\Windows\SysWOW64\Eiomkn32.exeC:\Windows\system32\Eiomkn32.exe42⤵
- Executes dropped EXE
PID:856 -
C:\Windows\SysWOW64\Epieghdk.exeC:\Windows\system32\Epieghdk.exe43⤵
- Executes dropped EXE
PID:1784 -
C:\Windows\SysWOW64\Eeempocb.exeC:\Windows\system32\Eeempocb.exe44⤵
- Executes dropped EXE
PID:2252 -
C:\Windows\SysWOW64\Ennaieib.exeC:\Windows\system32\Ennaieib.exe45⤵
- Executes dropped EXE
PID:796 -
C:\Windows\SysWOW64\Ealnephf.exeC:\Windows\system32\Ealnephf.exe46⤵
- Executes dropped EXE
PID:1596 -
C:\Windows\SysWOW64\Fnpnndgp.exeC:\Windows\system32\Fnpnndgp.exe47⤵
- Executes dropped EXE
PID:2388 -
C:\Windows\SysWOW64\Fmcoja32.exeC:\Windows\system32\Fmcoja32.exe48⤵
- Executes dropped EXE
PID:2008 -
C:\Windows\SysWOW64\Ffkcbgek.exeC:\Windows\system32\Ffkcbgek.exe49⤵
- Executes dropped EXE
PID:3040 -
C:\Windows\SysWOW64\Fnbkddem.exeC:\Windows\system32\Fnbkddem.exe50⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1160 -
C:\Windows\SysWOW64\Faagpp32.exeC:\Windows\system32\Faagpp32.exe51⤵
- Executes dropped EXE
PID:780 -
C:\Windows\SysWOW64\Filldb32.exeC:\Windows\system32\Filldb32.exe52⤵
- Executes dropped EXE
PID:2072 -
C:\Windows\SysWOW64\Ffpmnf32.exeC:\Windows\system32\Ffpmnf32.exe53⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1332 -
C:\Windows\SysWOW64\Fioija32.exeC:\Windows\system32\Fioija32.exe54⤵
- Executes dropped EXE
PID:2140 -
C:\Windows\SysWOW64\Feeiob32.exeC:\Windows\system32\Feeiob32.exe55⤵
- Executes dropped EXE
- Modifies registry class
PID:2872 -
C:\Windows\SysWOW64\Fiaeoang.exeC:\Windows\system32\Fiaeoang.exe56⤵
- Executes dropped EXE
PID:2560 -
C:\Windows\SysWOW64\Gbijhg32.exeC:\Windows\system32\Gbijhg32.exe57⤵
- Executes dropped EXE
PID:2688 -
C:\Windows\SysWOW64\Gegfdb32.exeC:\Windows\system32\Gegfdb32.exe58⤵
- Executes dropped EXE
PID:2612 -
C:\Windows\SysWOW64\Glaoalkh.exeC:\Windows\system32\Glaoalkh.exe59⤵
- Executes dropped EXE
PID:1424 -
C:\Windows\SysWOW64\Gpmjak32.exeC:\Windows\system32\Gpmjak32.exe60⤵
- Executes dropped EXE
PID:2748 -
C:\Windows\SysWOW64\Gangic32.exeC:\Windows\system32\Gangic32.exe61⤵
- Executes dropped EXE
PID:2904 -
C:\Windows\SysWOW64\Ghhofmql.exeC:\Windows\system32\Ghhofmql.exe62⤵
- Executes dropped EXE
PID:272 -
C:\Windows\SysWOW64\Gobgcg32.exeC:\Windows\system32\Gobgcg32.exe63⤵
- Executes dropped EXE
PID:1644 -
C:\Windows\SysWOW64\Gaqcoc32.exeC:\Windows\system32\Gaqcoc32.exe64⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Executes dropped EXE
PID:1812 -
C:\Windows\SysWOW64\Gdopkn32.exeC:\Windows\system32\Gdopkn32.exe65⤵
- Executes dropped EXE
PID:1500 -
C:\Windows\SysWOW64\Gkihhhnm.exeC:\Windows\system32\Gkihhhnm.exe66⤵PID:2792
-
C:\Windows\SysWOW64\Gmgdddmq.exeC:\Windows\system32\Gmgdddmq.exe67⤵PID:1136
-
C:\Windows\SysWOW64\Geolea32.exeC:\Windows\system32\Geolea32.exe68⤵PID:1112
-
C:\Windows\SysWOW64\Gkkemh32.exeC:\Windows\system32\Gkkemh32.exe69⤵PID:1208
-
C:\Windows\SysWOW64\Gphmeo32.exeC:\Windows\system32\Gphmeo32.exe70⤵PID:1148
-
C:\Windows\SysWOW64\Hiqbndpb.exeC:\Windows\system32\Hiqbndpb.exe71⤵
- Modifies registry class
PID:1004 -
C:\Windows\SysWOW64\Hmlnoc32.exeC:\Windows\system32\Hmlnoc32.exe72⤵PID:2836
-
C:\Windows\SysWOW64\Hpkjko32.exeC:\Windows\system32\Hpkjko32.exe73⤵PID:2056
-
C:\Windows\SysWOW64\Hcifgjgc.exeC:\Windows\system32\Hcifgjgc.exe74⤵PID:2956
-
C:\Windows\SysWOW64\Hkpnhgge.exeC:\Windows\system32\Hkpnhgge.exe75⤵
- Drops file in System32 directory
PID:1088 -
C:\Windows\SysWOW64\Hlakpp32.exeC:\Windows\system32\Hlakpp32.exe76⤵PID:2820
-
C:\Windows\SysWOW64\Hckcmjep.exeC:\Windows\system32\Hckcmjep.exe77⤵PID:2892
-
C:\Windows\SysWOW64\Hlcgeo32.exeC:\Windows\system32\Hlcgeo32.exe78⤵PID:2404
-
C:\Windows\SysWOW64\Hobcak32.exeC:\Windows\system32\Hobcak32.exe79⤵PID:2144
-
C:\Windows\SysWOW64\Hgilchkf.exeC:\Windows\system32\Hgilchkf.exe80⤵PID:2732
-
C:\Windows\SysWOW64\Hjhhocjj.exeC:\Windows\system32\Hjhhocjj.exe81⤵PID:2124
-
C:\Windows\SysWOW64\Hlfdkoin.exeC:\Windows\system32\Hlfdkoin.exe82⤵PID:2920
-
C:\Windows\SysWOW64\Hacmcfge.exeC:\Windows\system32\Hacmcfge.exe83⤵PID:1844
-
C:\Windows\SysWOW64\Hlhaqogk.exeC:\Windows\system32\Hlhaqogk.exe84⤵PID:3068
-
C:\Windows\SysWOW64\Hkkalk32.exeC:\Windows\system32\Hkkalk32.exe85⤵PID:1648
-
C:\Windows\SysWOW64\Icbimi32.exeC:\Windows\system32\Icbimi32.exe86⤵PID:776
-
C:\Windows\SysWOW64\Idceea32.exeC:\Windows\system32\Idceea32.exe87⤵PID:832
-
C:\Windows\SysWOW64\Iknnbklc.exeC:\Windows\system32\Iknnbklc.exe88⤵PID:3048
-
C:\Windows\SysWOW64\Inljnfkg.exeC:\Windows\system32\Inljnfkg.exe89⤵PID:2232
-
C:\Windows\SysWOW64\Idfbkq32.exeC:\Windows\system32\Idfbkq32.exe90⤵
- Modifies registry class
PID:1576 -
C:\Windows\SysWOW64\Ihankokm.exeC:\Windows\system32\Ihankokm.exe91⤵PID:1740
-
C:\Windows\SysWOW64\Ikpjgkjq.exeC:\Windows\system32\Ikpjgkjq.exe92⤵PID:2852
-
C:\Windows\SysWOW64\Iajcde32.exeC:\Windows\system32\Iajcde32.exe93⤵PID:2328
-
C:\Windows\SysWOW64\Idhopq32.exeC:\Windows\system32\Idhopq32.exe94⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2604 -
C:\Windows\SysWOW64\Iggkllpe.exeC:\Windows\system32\Iggkllpe.exe95⤵PID:2352
-
C:\Windows\SysWOW64\Iblpjdpk.exeC:\Windows\system32\Iblpjdpk.exe96⤵PID:2324
-
C:\Windows\SysWOW64\Igihbknb.exeC:\Windows\system32\Igihbknb.exe97⤵PID:2640
-
C:\Windows\SysWOW64\Ijgdngmf.exeC:\Windows\system32\Ijgdngmf.exe98⤵PID:2116
-
C:\Windows\SysWOW64\Icpigm32.exeC:\Windows\system32\Icpigm32.exe99⤵PID:2244
-
C:\Windows\SysWOW64\Ifnechbj.exeC:\Windows\system32\Ifnechbj.exe100⤵PID:1984
-
C:\Windows\SysWOW64\Jnemdecl.exeC:\Windows\system32\Jnemdecl.exe101⤵PID:444
-
C:\Windows\SysWOW64\Jofiln32.exeC:\Windows\system32\Jofiln32.exe102⤵PID:296
-
C:\Windows\SysWOW64\Jgnamk32.exeC:\Windows\system32\Jgnamk32.exe103⤵PID:756
-
C:\Windows\SysWOW64\Jmjjea32.exeC:\Windows\system32\Jmjjea32.exe104⤵PID:3024
-
C:\Windows\SysWOW64\Joifam32.exeC:\Windows\system32\Joifam32.exe105⤵PID:2120
-
C:\Windows\SysWOW64\Jjojofgn.exeC:\Windows\system32\Jjojofgn.exe106⤵PID:1744
-
C:\Windows\SysWOW64\Jiakjb32.exeC:\Windows\system32\Jiakjb32.exe107⤵PID:2684
-
C:\Windows\SysWOW64\Jcgogk32.exeC:\Windows\system32\Jcgogk32.exe108⤵PID:2680
-
C:\Windows\SysWOW64\Jfekcg32.exeC:\Windows\system32\Jfekcg32.exe109⤵PID:2496
-
C:\Windows\SysWOW64\Jicgpb32.exeC:\Windows\system32\Jicgpb32.exe110⤵PID:2756
-
C:\Windows\SysWOW64\Jkbcln32.exeC:\Windows\system32\Jkbcln32.exe111⤵PID:2896
-
C:\Windows\SysWOW64\Jnqphi32.exeC:\Windows\system32\Jnqphi32.exe112⤵PID:1492
-
C:\Windows\SysWOW64\Jfghif32.exeC:\Windows\system32\Jfghif32.exe113⤵PID:864
-
C:\Windows\SysWOW64\Jkdpanhg.exeC:\Windows\system32\Jkdpanhg.exe114⤵
- Adds autorun key to be loaded by Explorer.exe on startup
PID:2348 -
C:\Windows\SysWOW64\Jnclnihj.exeC:\Windows\system32\Jnclnihj.exe115⤵PID:1536
-
C:\Windows\SysWOW64\Kemejc32.exeC:\Windows\system32\Kemejc32.exe116⤵PID:1924
-
C:\Windows\SysWOW64\Kgkafo32.exeC:\Windows\system32\Kgkafo32.exe117⤵PID:1156
-
C:\Windows\SysWOW64\Kjjmbj32.exeC:\Windows\system32\Kjjmbj32.exe118⤵PID:2932
-
C:\Windows\SysWOW64\Kneicieh.exeC:\Windows\system32\Kneicieh.exe119⤵PID:2832
-
C:\Windows\SysWOW64\Keoapb32.exeC:\Windows\system32\Keoapb32.exe120⤵PID:2636
-
C:\Windows\SysWOW64\Kcbakpdo.exeC:\Windows\system32\Kcbakpdo.exe121⤵PID:2624
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-